Securing digital data transmission in a communication network

ABSTRACT

A method for securing transmission of digital data in a communication network comprising a central station or a terminal and at least one device monitored by the central station via the communication network. The at least one device is configured to produce and to transmit a digital data stream to the central station or terminal. The at least one device further comprises a secure non-volatile memory for storing at least device specific information. The at least one device forms a data block based on at least the device specific information stored in the secure memory. The data block thus formed may compose additional data to be merged with the digital data stream produced by the at least one device. A modified digital data stream results from this merging operation and is transmitted by the at least one device to the central station or terminal.

INTRODUCTION

The present disclosure generally relates to IoT devices producingdigital data streams in a communication network. In particular, asolution for securing digital data transmission in the communicationnetwork is disclosed.

TECHNICAL BACKGROUND

The Internet is a global system of interconnected computers and computernetworks that use a standard Internet protocol as for example theTransmission Control Protocol (TCP) and Internet Protocol (IP) tocommunicate with each other. The Internet of Things (IoT) is based onthe idea that everyday objects, not just computers and computernetworks, can be readable, recognizable, locatable, addressable, andcontrollable via an IoT communications network as for example an ad-hocnetwork or the Internet.

There are a number of key applications for the IoT. For example, in thefield of smart grids and energy management, utility companies canoptimize delivery of energy to homes and businesses while customers canbetter manage energy usage. In the field of home and buildingautomation, smart homes and buildings can have centralized control overvirtually any device or system in the home or office, from appliances toplug-in electric vehicle security systems. In the field of assettracking, enterprises, hospitals, factories, and other largeorganizations can accurately track the locations of high-valueequipment, patients, vehicles, and so on. In the area of health andwellness, doctors can remotely monitor health of patients while peoplecan track the progress of fitness routines. As such, in the near future,increasing development in IoT technologies will lead to numerous IoTdevices surrounding a user at home, in vehicles, at work, and many otherlocations. IoT capable devices can provide substantial real-timeinformation about the environment of the user (e.g., likes, choices,habits, device conditions and usage patterns, images of location area,data from various environmental sensors associated with the IoT devices,energy consumption data, etc.).

In a further IoT devices application field, as for example camerastaking images from an area to be monitored generate image contentwithout any solution to ensure integrity of the images. In particular,when the images are transmitted to a monitoring central station orterminal via a communication network such as internet, some kind ofprotection is needed. The images may be used for live monitoring ortemporary storage for later use by the central station or terminal.There is an issue regarding information to indicate in a secure way atleast which camera has generated and transmitted the images. In additionto a specific identifier of the cameras, further information such ascamera location area or position coordinates, current date and time maybe necessary to ensure authenticity of the images. This informationwould guaranty that the images have not been modified or a camerasubstituted by another one.

SUMMARY

In order to provide solutions to the above-mentioned issues, embodimentsof the present disclosure propose a method for securing transmission ofdigital data in a communication network. The communication networkgenerally comprises a central station or a terminal and at least onedevice monitored by the central station via the communication network.The at least one device is configured to produce and to transmit adigital data stream to the central station or terminal. The at least onedevice further comprises a secure non-volatile memory for storing atleast device specific information data. The at least one device forms adata block based on at least the device specific information data storedin the secure memory. The data block thus formed may compose additionaldata to be merged with the digital data stream produced by the at leastone device. A modified digital data stream results from this mergingoperation and is transmitted by the at least one device to the centralstation or terminal.

The method may be performed on a network comprising a central stationmonitoring only one device as well as on a network where the centralstation monitors two or more devices.

According to an embodiment, the central station monitors at least onefirst and second device via the network, the at least one first andsecond device being configured to communicate with each other. Thedevice specific information data of the first device is provided to thesecond device and the device specific information data of the seconddevice is provided to the first device. The at least one first andsecond device each store the device specific information data of thefirst and second device in the secure non-volatile memory.

The additional data based on the data block is thus different for eachdevice thanks to the incorporated device specific information data.Therefore, the central station or terminal receives a modified digitaldata stream specific to each device belonging to the communicationnetwork.

According to the method, the device specific information data of thefirst device is provided to the second device and vice-versa so thateach device stores these specific identifiers in the secure memory.

In a general way, each device's memory stores the device specificinformation data of the device in question and the device specificinformation data of the other device belonging to a particular network.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 shows a communication network comprising devices monitored by acentral station and communicating with each other, each device producinga digital data stream to be transmitted towards the central station.

FIG. 2 shows the devices and the central station of FIG. 1 communicatingvia a global network such as Internet or a cloud system.

FIG. 3 shows a block schematic of a device including processing modulesconfigured to secure the digital data stream produced by the device andthe data link allowing communication with other devices of thecommunication network.

DETAILED DESCRIPTION

According to an embodiment illustrated by FIG. 1, several devices D1,D2, D3 . . . are monitored by a central station CST associated with adatabase DB. The devices D1, D2, D3 . . . communicate with the centralstation CST via a secure communication network and with each other.According to an embodiment, a first device D1 may communicate with asecond device D2 that communicates with a third device D3 that finallycommunicates with the first device D1. In general terms, the devices maycommunicate with each other in a mesh network mode via a secure channel.

According to a further embodiment, the devices D1, D2, D3 . . . maysecurely communicate with each other via the central station CST in astar shaped network mode. Each device is linked to the central stationwhich exchanges data with the devices in a secure way. In an exemplaryconfiguration as shown by FIG. 2, the devices may communicate with thecentral station CST via internet. The database DB may be associatedlocally with the central station CST or remotely via a securedconnection to internet as shown with dotted lines in FIG. 2.

A secure transmission channel may be established between two devices, adevice and the central station CST and the database DB according toknown methods using a common secret shared by the devices or methodsusing public and private encryption keys exchange protocols. The devicesmay comprise a non-volatile secure memory containing unique and secureddevice specific information data. The secure device specific informationdata may comprise a unique identifier specific to the device and otherdata as for example secret to be shared on the network and/or encryptionkeys for establishing secure links with other devices, the centralstation CST and the database DB.

The central station CST monitoring the secure communication network maystore reference data related to each device connected to thecommunication network in the database DB. The central station furtheranalyzes and processes data produced by the devices.

In an initialization phase of the secure communication network,preparation steps may be performed for securing data exchanges betweenthe devices and the central station and between the devices themselves,namely:

-   -   When the devices comprise already device specific information        data such as a unique identifier stored in the secure        non-volatile memory at manufacturing of the device, the        identifier may be transmitted to the central station CST for        registering into the database DB associated with said central        station CST. Each device may then transmit this unique        identifier to another device or the central station CST        transmits the registered identifiers to the devices.    -   The devices may generate a unique identifier at connection to        the secure communication network, based on unique device        specific information data as for example a unique identifier of        the device or a device Media Access Control (MAC) address or an        identifier of a chip integrated in the device or a combination        thereof. The generated identifier is then stored in the secure        non-volatile memory of each device and transmitted to the        central station CST as in the preceding embodiment.    -   When the devices do not comprise device specific information        data such as a unique identifier, the central station CST may        attribute a unique identifier to each device of the secure        communication network. The unique identifier can be randomly        generated by the central station CST or the database DB. This        identifier is then stored in the secure non-volatile memory of        the device together with the identifiers of the other devices        that are provided by the central station CST.

The network may comprise only devices having already a unique identifieror only devices without pre-stored identifier or a combination thereof.The central station CST may interrogate each device for acquiring theidentifiers or for attributing an identifier to the devices withoutidentifier.

The unique identifier of one or more devices on the network may beupdated or one or more devices may be removed or added to the networkmonitored by the central station CST. In this case, the central stationmay transmit to each device connected to the network an updated list ofunique identifiers. According to an embodiment, one or more updatedidentifiers may be pushed into the network in an analogous way than avirus which infects each connected device. The one or more updatedidentifiers are thus known by each device by propagation initiated bythe central station CST and stored in the secure non-volatile memory ofeach device.

After the initialization phase, each device of the network stores in thesecure non-volatile memory the identifier of all other devices inaddition to its own identifier.

A preferred application example discussed hereafter relates to devicesin form of monitoring cameras each producing a video stream to beprocessed by the central station. The cameras are configured to transmitthe produced video stream to the central station and to communicate witheach other either directly via a data link or via the central stationthrough the link used for transmitting the video stream.

The cameras further comprise a secure memory for storing at least aunique specific identifier and the identifiers of the other cameras.Each camera is configured to generate a data block based on the storedidentifiers and to merge with the video stream produced by the cameraadditional data comprising the data block. The additional data may forma watermark comprising at least the specific identifier of the cameraand the data block. Each camera thus outputs and transmits via thesecure communication network a watermarked video stream to the centralstation.

FIG. 3 shows a block schematic of a device according to the presentdisclosure such as a camera comprising a processor CPU associated with amemory M, a video sensor SE, a communication module TR and a mergingmodule MG. The processor CPU, the memory M and the merging module MG maybe regrouped in a secure chipset SCS.

The video sensor SE including a Charge-Coupled Device (CCD) or aComplementary Metal Oxide Semiconductor (CMOS) image sensor producesvideo data to be processed by the processor CPU. The communicationmodule TR may be configured to exchange data with the central station aswell as with other cameras on the secure network and to transmitprocessed video data in form of a modified video stream.

The processor CPU instructs the merging module MG for preparing andinserting additional data into the video data received from the videosensor SE according to a predetermined software program stored in thememory M. The software program is further configured to retrieve fromthe memory, generate, manage and transform various data to be used asadditional data before insertion into the video data. The video datamodified by the merging module MG with the additional data is thenforwarded to the communication module TR for transmission to the centralstation CST.

The merging module MG modifies the produced video data comprisingdisplayable frames to be displayed as images on a screen at the centralstation by inserting the additional data into at least some of thedisplayable frames. The additional data form a watermark that may bevisible or not by human eyes. The images may include as watermark forexample some visible pixels or any kind of mark preferably in anon-significative part of the image such as along the edges or in thecorners.

The watermark is used by the central station for verifying:

-   -   network integrity in order to check if all cameras are present        and able to operate,    -   device authenticity in order to determine if each camera is        identified by the central station to prevent any malicious        camera replacement on the network,    -   authenticity of video data produced by the camera in order to        determine if the image received by the central station        correspond to the images effectively captured by the camera.

The data block forming the watermark may comprise in addition to theidentifiers of the cameras belonging to the network, a network address,a network identifier, a position indicator or coordinates of the camera,a time stamp, etc. or any combination thereof.

According to an embodiment, a mathematical function may be applied byeach camera over the identifiers of all other cameras of the networkstored in the secure memory. The data block is then formed by theobtained result instead of the identifiers themselves. This mathematicalfunction may be for example a unidirectional collision free hashfunction known also by the central station so that the data block can berecalculated by the central station for verification. The watermarktherefore comprises a global hash calculated by each camera on all orpart of the identifiers of the cameras belonging to the network.

A watermark analyzer of the central station may extract the watermarkfrom the video streams received from each camera for analyzing andcomparing the received global hashes with a hash calculated over theidentifiers stored in the database DB associated with the centralstation. If the received global hashes match with the calculated hash,the network is considered, by the central station, as conform with allcameras present and operating. In case of mismatch, an alarm can beraised.

When the watermark, respectively the data block, contains, in additionto the global hash, additional data such as network addresses orposition coordinates of the cameras, the central station may checkconformity of this additional data by comparing the data extracted fromthe watermark with corresponding data retrieved from the database DB byusing the identifiers of the cameras.

The watermark may change periodically and the corresponding referencedata in the database DB updated consequently by the central station. Thecentral station may attribute periodically random identifiers to eachcamera, which calculates corresponding global hash before watermarkingthe produced video stream.

The central station CST may also monitor the cameras in the securenetwork by checking if updates of the data stored in the database DB arenecessary or not. For example, the central station may periodicallyinterrogate each camera for checking presence in the non-volatile memoryof the identifiers of the other cameras belonging to the securecommunication network.

In order to verify authenticity of the images, the watermark may furthercontain authentication data comprising a time code or a sequence numberand a corresponding image signature based on a sequence or a group ofconsecutive frames produced by a camera. For example, at a predefinedtime a sequence of frames having a certain length may be encoded to forma fingerprint which may be encrypted with a key known by the centralstation. The time code or sequence number may be preferablyunpredictable in order to prevent malicious replay of the sequence andfingerprint re-calculation. The time code or sequence number may becryptographically transformed or associated with a pseudo-random numberthat is generated by using a known initial value at a known time.

This encrypted fingerprint forms a signature which can be decrypted bythe central station for checking authenticity of the images receivedfrom a predefined camera. These images are thus verified as having beentransmitted by a specific camera only, without having been modified by athird party connected to the network. The fingerprint may also be formedby a hash calculated over data representing a predetermined sequence offrames.

The watermark may further contain a reference fingerprint calculated onone or more individual frames or on a complete sequence of framesshowing known images. The database DB may store these referencefingerprints based on typical images captured by each camera dependingon the area where the camera is located. The verification of thewatermark may be performed by using this reference fingerprint. In fact,a watermark analyzer of the central station carries out a search of agiven reference fingerprint corresponding to a particular camera in thereceived video stream. When the reference fingerprint has been found andmatches with the one retrieved from the database DB, the watermarkanalyzer may extract additional data such as identifiers, time stamps,signatures used for verification and validating authenticity of thereceived video stream. The authentication data may be also used fordefining position of a visible watermark in the image.

The verification of a sequence of frames serves to determine if thesequence corresponds to the images effectively captured by a camerawithout having been manipulated by addition, deletion or substitution offrames.

The watermark based on images authentication data may be periodicallyrenewed by changing parameters such as time code, sequence number orsequence duration or digest coding algorithm.

According to a further embodiment the watermark may be invisible byhuman eyes but machine readable. A technology based on encoding videodata blocks of the displayable frames with the additional data byapplying a predetermined watermarking algorithm may be used. Only acomputer based image analyzer will thus be able to localize, extract andread the watermark in a sequence of images. The image analyzer knowingthe watermarking algorithm used for encoding the video data blocks andbeing able to identify the encoded video data blocks can determine thewatermark representing the additional data. Depending on the type ofwatermarking algorithm, the watermark may be determined by comparingvideo data of the images sequence with video data of a reference imagessequence without watermark.

A further verification may be performed by the cameras to ensure thatthe central station or a terminal used as central station is authenticand not a fake terminal substituting the central station or terminal.This verification may be based on exchanges of messages containing anauthentication code in form of a signature specific to the centralstation and not reproducible by any other device. For example, anidentifier of the central station stored in the secure memory of eachcamera and encrypted by a key common to the cameras and the centralstation may be exchanged before video data processing.

In case of a large network with a set of a high number of cameras, thesize of the data block forming the watermark increases proportionally sothat the verification by the watermark analyzer is unnecessarily sloweddown. The authentication messages exchanged between the cameras and thecentral station also becoming numerous may cause issues related todecrease of data throughput and transmission speed. To solve thesepotential issues, the watermark may be applied only on particular groupsof frames instead on all frames produced by the cameras.

The set of a high number of cameras may be divided into subsets ofsmaller number of cameras. In this case the watermark may be based onlyon the identifiers of the cameras belonging to the subset and on anidentifier specific to the subset. For example, a set of 100 cameras maybe divided into 10 subsets of 10 cameras where each subset may have anidentifier depending on the location of the subset. The watermark maythus be based on the 10 identifiers of the cameras belonging to thesubset and an identifier of the subset or a hash calculated over theseidentifiers.

Although embodiments of the present disclosure have been described withreference to specific example embodiments, it will be evident thatvarious modifications and changes may be made to these embodimentswithout departing from the broader scope of these embodiments.Accordingly, the specification and drawings are to be regarded in anillustrative rather than a restrictive sense. The accompanying drawingsthat form a part hereof, show by way of illustration, and not oflimitation, specific embodiments in which the subject matter may bepracticed. The embodiments illustrated are described in sufficientdetail to enable those skilled in the art to practice the teachingsdisclosed herein. Other embodiments may be utilized and derived therefrom, such that structural and logical substitutions and changes may bemade without departing from the scope of this disclosure. The detaileddescription, therefore, is not to be taken in a limiting sense, and thescope of various embodiments is defined only by the appended claims,along with the full range of equivalents to which such claims areentitled.

Such embodiments of the inventive subject matter may be referred toherein, individually and/or collectively, by the term “disclosure”merely for convenience and without intending to voluntarily limit thescope of this application to any single inventive concept if more thanone is in fact disclosed. Thus, although specific embodiments have beenillustrated and described herein, it should be appreciated that anyarrangement calculated to achieve the same purpose may be substitutedfor the specific embodiments shown. This disclosure is intended to coverany and all adaptations or variations of various embodiments.Combinations of the above embodiments, and other embodiments notspecifically described herein, will be apparent to those of skill in theart upon reviewing the above description.

The invention claimed is:
 1. A method for securing transmission ofdigital data in a communication network, the network comprising acentral station and at least one device monitored by the central stationvia the network, the at least one device being configured to produce andto transmit a digital data stream to the central station, the methodcomprising: receiving information specific to the at least one device,and storing said information into a secure non-volatile memory of the atleast one device; forming by the at least one device a data block basedon at least the device specific information stored in the securenon-volatile memory; merging by the at least one device additional datawith the digital data stream produced by said device, the additionaldata comprising at least the previously formed data block, obtaining amodified digital data stream; and transmitting by the at least onedevice the modified digital data stream to the central station.
 2. Themethod according to claim 1, wherein the central station monitors atleast one first and second device via the network, the at least onefirst and second device being configured to communicate with each other.3. The method according to claim 2, wherein the device specificinformation of the first device is provided to the second device and thedevice specific information of the second device is provided to thefirst device, the at least one first and second device each storing thedevice specific information of the first and second device in the securenon-volatile memory.
 4. The method according to claim 2 wherein eachdevice receives, in a network setup phase, device specific informationfrom all the other devices belonging to the network.
 5. The methodaccording to claim 1, wherein the device specific information comprisesa unique identifier of the device or a device Media Access Control (MAC)address or an identifier of a chip integrated in the device or acombination thereof.
 6. The method according to claim 1 wherein thecentral station attributes, in a network setup phase, device specificinformation comprising a unique identifier to each device belonging tothe network and transmits all attributed unique identifiers to eachdevice via a secure transmission link.
 7. The method according to claim1 wherein the additional data comprises a time stamp including currentdate and time, the device specific information and a digest based on allthe device specific information of the devices belonging to the network.8. The method according to claim 7 wherein the digest is formed byapplying a hash function on all or part of the device specificinformation of the devices belonging to the network, said devicespecific information being stored in the secure non-volatile memory ofeach device.
 9. The method according to claim 1 wherein the at least onedevice includes at least one camera monitored by the central station viathe network, the at least one camera being configured to produce andtransmit a digital video stream to the central station, the methodcomprising: receiving a camera specific identifier by the at least onecamera, and storing said information into a secure non-volatile memoryof the at least one camera; forming by the at least one camera a datablock based on at least the camera specific identifier stored in thesecure non-volatile memory; merging by the at least one cameraadditional data with the digital data stream produced by said camera,the additional data comprising at least the previously formed datablock, obtaining a modified video stream; and transmitting by the atleast one camera the modified digital video stream to the centralstation.
 10. The method according to claim 1, wherein the centralstation monitors at least one first and second camera via the network,the at least one first and second camera being configured to communicatewith each other.
 11. The method according to claim 10 furthercomprising: providing to the first camera the camera specific identifierof the second camera and providing to the second camera the devicespecific identifier of the first camera, storing said identifiers intothe secure non-volatile memory of each camera; forming by the first andsecond camera a data block based on at least the camera specificidentifier of the first and second camera stored in the securenon-volatile memory of each camera; and merging by each cameraadditional data in form of a watermark with the digital video streamproduced by said camera, the watermark comprising at least the specificidentifier of the camera and the previously formed data block, obtaininga watermarked digital video stream, transmitting by each camera thewatermarked digital video stream to the central station.
 12. A camerafor producing a digital video data stream in a communication network,the network comprising a central station and at least another cameramonitored by the central station via the network, the camera comprising:a video sensor configured to produce the digital video data stream; aprocessor; a merging module; a secure non-volatile memory configured tostore at least a device specific identifier; and a communication moduleconfigured to communicate to the at least another camera and to thecentral station and to receive a camera specific identifier of the atleast other camera of the network and to store said camera specificidentifier into the secure non-volatile memory; wherein the processor isfurther configured to retrieve from the secure non-volatile memory thecamera specific identifier and the specific identifier of the at leastother camera and to form a data block based on at least saididentifiers; and wherein the merging module is configured to mergeadditional data in a form of a watermark with the produced digital videodata stream, the watermark comprising at least the specific identifierof the camera and the previously formed data block, and to obtain awatermarked digital video data stream, and wherein the communicationmodule is further configured to transmit the watermarked digital videodata stream to the central station.
 13. The camera according to claim 12wherein the additional data comprises a time stamp including currentdate and time, a position indicator or coordinates of the camera, thedevice specific identifier and a digest based on all or part of theidentifiers of the cameras belonging to the network.
 14. The cameraaccording to claim 12 wherein the watermark further containsauthentication data comprising a time code or a sequence number and acorresponding image signature based on a sequence of consecutive videoframes extracted from the digital video data produced by the videosensor of the camera, the image signature including a fingerprint of thesequence encrypted by a key known by the central station.